Changeset 5590 in subversion
- Timestamp: Dec 9, 2011 8:50:03 PM
- Location: trunk/roundcubemail
- Files: 2 edited
  - program/lib/washtml.php (modified) (1 diff)
  - tests/src/BID-26800.txt (modified) (2 diffs)
trunk/roundcubemail/program/lib/washtml.php
r5586 r5590 169 169 $value .= ' url('.htmlspecialchars($src, ENT_QUOTES) . ')'; 170 170 } 171 else if (preg_match(' /^(http|https|ftp):.*$/i', $match[2], $url)) {171 else if (preg_match('!^(https?:)?//[a-z0-9/._+-]+$!i', $match[2], $url)) { 172 172 if ($this->config['allow_remote']) 173 173 $value .= ' url('.htmlspecialchars($url[0], ENT_QUOTES).')'; -
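Review bot: the replacement pattern `!^(https?:)?//[a-z0-9/._+-]+$!i` at line 171 narrows the accepted `url()` value far beyond what the old `/^(http|https|ftp):.*$/i` allowed: `ftp:` is no longer accepted, and any URL containing `?`, `=`, `&`, `%`, `#` or a `:` port suffix is now rejected even when `allow_remote` is set, so remote images with query strings or non-default ports are silently dropped. If the restricted character set is the intent (it does keep `(`, `)`, quotes and whitespace out of the emitted `url(...)`, which is what makes the `$url[0]` branch safe to echo), say so in a comment beside the regex and in the commit message, and consider whether a rejected remote URL should be logged rather than discarded without trace. Note also that the new pattern admits protocol-relative `//host/path` values, which the old one did not; that is a behaviour change worth stating explicitly since it interacts with the `allow_remote` gate at line 172.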
trunk/roundcubemail/tests/src/BID-26800.txt
r2323 r5590 11 11 <p><div> block</p> 12 12 <div style="font-style:italic">valid css</div> 13 <div style="color:red; background:url('//somedomain.com/somepath/somefile.png')"> 13 14 <div style="{ left:expression( alert('expression!') ) }"> 14 15 <div style="{ background:url( alert('URL!') ) }"> … … 17 18 <p>Inject comment text</p> 18 19 <div style="{ left:exp/* */ression( alert('xss3') ) }"> 19 <div style=" { background:u/* */rl( alert('xssurl3') ) }">20 <div style=" background:u/* */rl( alert('xssurl3') ) "> 20 21 21 22 <h1>4 test</h1>
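Review bot: the rewritten `xssurl3` case at line 20 replaces the brace-wrapped form `<div style=" { background:u/* */rl( alert('xssurl3') ) }">` with the bare declaration `<div style=" background:u/* */rl( alert('xssurl3') ) ">`, so the braced variant is no longer exercised by this fixture; keep both lines instead of substituting one for the other, since the neighbouring `expression` and `URL!` cases at lines 14-15 and the `xss3` case at line 19 still rely on the braced form and the two shapes take different paths through the style parser. The added positive case `background:url('//somedomain.com/somepath/somefile.png')` at line 13 only covers the accepted character set of the new regex in washtml.php; a companion negative case (a query string, a port, or an `ftp:` scheme) would pin down the narrowed behaviour, and no expected-output change accompanies this input change in the changeset.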